• Resolved Jeff Lambert

    (@lambje)


    Hello,

    In working with your plugin I came across a non-fatal issue.

    In the rpr_login_form_verifyemail function in the rpr-login.php file you have this condition:

    if ( empty( $user_password ) ) {

    You should probably add an “else” case with the following:

    delete_user_meta( $user_id, 'stored_user_password' );

    Otherwise the stored_user_password is left in the usermeta table.

    You may want to consider encrypting the value with a 2-way encryption routine just so a password isn’t in there as plain text.

    I also noticed, in the same function, that you are outputting text with sprintf with the %s being set to $user_login. However, you haven’t set this variable anywhere in the function. Though I know you know this, the following should do the trick:

    $userinfo = get_userdata($user_id);
    $user_login = $userinfo->user_login;

    Or using first + last… if available…

    Thanks for a great plugin. I did end up pulling out the rpr_login_form_verifyemail function as my client wants all login related activity handled from within a custom page template and not through wp-login.php.

    Jeff

    http://wordpress.org/extend/plugins/register-plus-redux/
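
The cleanup and the `$user_login` fix described in the post above, as an added example that is not the plugin's own code. The function name, error codes and message text are hypothetical, and applying the stored value with `wp_set_password()` is an assumption about what the plugin does with it.

```php
<?php
// Added example: hypothetical helper, not Register Plus Redux source.
// It runs inside WordPress; every function called here is WordPress core API.
function example_complete_email_verification( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'example_unknown_user', 'No such user.' );
    }

    // Password kept in usermeta while the address was still unverified.
    $user_password = get_user_meta( $user_id, 'stored_user_password', true );

    if ( ! empty( $user_password ) ) {
        // Assumption: the stored value becomes the account password.
        // Core hashes it before writing it to the users table.
        wp_set_password( $user_password, $user_id );
    }

    // Remove the plain-text copy on every path, not only one branch,
    // then confirm the row is really gone from the usermeta table.
    delete_user_meta( $user_id, 'stored_user_password' );
    if ( metadata_exists( 'user', $user_id, 'stored_user_password' ) ) {
        return new WP_Error( 'example_cleanup_failed', 'Stored password still present.' );
    }

    // $user_login is set from the user record before sprintf() uses it.
    $user_login = $user->user_login;

    // Constructed message text, escaped for HTML output.
    return sprintf(
        'Thank you %s, your email address has been verified.',
        esc_html( $user_login )
    );
}
```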

Viewing 2 replies - 1 through 2 (of 2 total)
  • +1

    Agree, the passwords should never be stored in plain text, even more sent in emails.

    Apart from that, great plugin!

    Plugin Author radiok

    (@radiok)

    Hey Jeff, I appreciate the feedback, fortunately I actually resolved both of those issues since the release of 3.9.8 during some other work. Considering the time lapse since I last worked on Redux… I’m not sure when, but regardless these issues have been resolved for 3.9.9 which is forthcoming.

    Either way I really appreciate this type of information, more often than not I get those “it’s broken” messages wherein I have to go through 7 levels of hell to recreate the problem! I’m sure you know what I mean!

  • The topic ‘stored_user_password not being deleted after verification’ is closed to new replies.